### Use secret variables

The following Dagger Function accepts a GitHub personal access token as a `Secret`, and uses the `Secret` to authorize a request to the GitHub API. The secret may be sourced from the host (via an environment variable, host file, or host command) or from an external secrets manager (1Password or Vault):

<Tabs groupId="language" queryString="sdk">
<TabItem value="go" label="Go">

```go file=../../../cookbook/snippets/secret-variable/go/main.go
```

</TabItem>
<TabItem value="python" label="Python">

```python file=../../../cookbook/snippets/secret-variable/python/main.py
```

</TabItem>
<TabItem value="typescript" label="TypeScript">

```typescript file=../../../cookbook/snippets/secret-variable/typescript/index.ts
```

</TabItem>
</Tabs>

#### Using Environment Variables
You can use a secret sourced from an environment variable by running the following command:

<Tabs groupId="shell">
<TabItem value="System shell">
```shell
dagger -c 'github-api env://GITHUB_API_TOKEN'
```
</TabItem>
<TabItem value="Dagger Shell">
```shell title="First type 'dagger' for interactive mode."
github-api env://GITHUB_API_TOKEN
```
</TabItem>
<TabItem value="Dagger CLI">
```shell
dagger call github-api --token=env://GITHUB_API_TOKEN
```
</TabItem>
</Tabs>

#### Passing Files
You can also pass files to secrets by following the example below:

<Tabs groupId="shell">
<TabItem value="System shell">
```shell
dagger -c 'github-api file://./github.txt'
```
</TabItem>
<TabItem value="Dagger Shell">
```shell title="First type 'dagger' for interactive mode."
github-api file://./github.txt
```
</TabItem>
<TabItem value="Dagger CLI">
```shell
dagger call github-api --token=file://./github.txt
```
</TabItem>
</Tabs>

#### Secrets from command output

Secrets also support capturing data from running commands.

<Tabs groupId="shell">
<TabItem value="System shell">
```shell
dagger -c 'github-api cmd://"gh auth token"'
```
</TabItem>
<TabItem value="Dagger Shell">
```shell title="First type 'dagger' for interactive mode."
github-api cmd://"gh auth token"
```
</TabItem>
<TabItem value="Dagger CLI">
```shell
dagger call github-api --token=cmd://"gh auth token"
```
</TabItem>
</Tabs>

#### 1Password
Use a secret from 1Password:

:::note
If using a [1Password service account](https://developer.1password.com/docs/service-accounts/), ensure that the `OP_SERVICE_ACCOUNT_TOKEN` environment variable is set.

```shell
export OP_SERVICE_ACCOUNT_TOKEN="mytoken"
```
:::

<Tabs groupId="shell">
<TabItem value="System shell">
```shell
dagger -c 'github-api op://infra/github/credential'
```
</TabItem>
<TabItem value="Dagger Shell">
```shell title="First type 'dagger' for interactive mode."
github-api op://infra/github/credential
```
</TabItem>
<TabItem value="Dagger CLI">
```shell
dagger call github-api --token=op://infra/github/credential
```
</TabItem>
</Tabs>

#### Hashicorp Vault

You can retrieve secrets from Hashicorp Vault.

:::note
Ensure that the `VAULT_ADDR` and either the `VAULT_TOKEN` or `VAULT_APPROLE_ROLE_ID` (for [Vault AppRole authentication](https://developer.hashicorp.com/vault/docs/auth/approle)) environment variables are set.

```shell
export VAULT_ADDR="https://127.0.0.1:8200"
export VAULT_TOKEN="gue55me7"
export VAULT_APPROLE_ROLE_ID="roleid-xxx-yyy-zzz"
```
:::

<Tabs groupId="shell">
<TabItem value="System shell">
```shell
dagger -c 'github-api vault://credentials.github'
```
</TabItem>
<TabItem value="Dagger Shell">
```shell title="First type 'dagger' for interactive mode."
github-api vault://credentials.github
```
</TabItem>
<TabItem value="Dagger CLI">
```shell
dagger call github-api --token=vault://credentials.github
```
</TabItem>
</Tabs>